Commit graph

16659 commits

Author SHA1 Message Date
Jouni Malinen
454ebb504c BSS: Use variable length array for IEs at the end of struct wpa_bss
Replace the previously used design "(u8 *) (bss + 1)" with a variable
length array at the end of struct wpa_bss bss->ies[] in hopes of making
this easier to understand for static analyzers.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-16 16:25:17 +02:00
Jouni Malinen
be7ee264f6 BSS: Use wrapper function for getting a pointer to the IE buffer
This makes it easier to change the internal struct wpa_bss design for
storing the variable length IE buffers.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-16 16:21:56 +02:00
Jouni Malinen
95edd81441 BSS: Add wpa_bss_get_ie_ext() wrapper
This removes need from the callers to know the struct wpa_bss details
for the location of the memory area for storing the IEs.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-16 16:00:21 +02:00
Jouni Malinen
dba4f7a545 Mark wpa_bss_get_fils_cache_id() argument const
This function does not modify the BSS entry.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-16 15:52:22 +02:00
Jouni Malinen
5027f34a33 tests: Fix test description strings for couple of SAE cases
Remove the extraneous closing parenthesis.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-16 15:51:05 +02:00
Hai Shalom
2a7023ba6f Change list arguments to const where possible
Change struct dl_list pointer argument to const in list functions that
do not manipulate the list: dl_list_len() and dl_list_empty().

Signed-off-by: Hai Shalom <haishalom@google.com>
2020-11-16 15:50:44 +02:00
Rohan Dutta
fdf114641f nl80211: Send the sae_pwe value to the driver
Use NL80211_ATTR_SAE_PWE attribute to indicate the sae_pwe value
to the driver during the NL80211_CMD_START_AP and NL80211_CMD_CONNECT
in WPA3-Personal networks which are using SAE authentication.

Signed-off-by: Rohan Dutta <drohan@codeaurora.org>
2020-11-16 15:50:44 +02:00
Vamsi Krishna
2576f27e04 P2P: Disable P2P in the 6 GHz band for now
P2P usage in the 6 GHz band is not standardized yet by WFA. Disable P2P
operations in the 6 GHz band to avoid potential interop issues with
existing P2P devices in production. P2P operations in the 6 GHz band can
be reenabled later after defining standard ways to address potential
interop issues with existing P2P devices.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-16 13:15:28 +02:00
Sreeramya Soratkal
2ffd3bb4b6 P2P: Include p2p_6ghz_disable in global configuration
Previously, the configuration to disable the 6 GHz band remained local
to the P2P interface. With this there is a possibility of 6 GHz channels
being included in the channel list when the channel list needs to be
updated if the state changes on one of the interfaces.

Include the configuration to disable the 6 GHz band for P2P as a global
configuration value to prevent the inclusion of 6 GHz channels in the
channel list for P2P when the channel list needs to be updated during
the state change in one of the interfaces.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2020-11-16 13:15:28 +02:00
Vinita S. Maloo
60c902f408 Add connect fail reason code from the driver to assoc reject event
Add support to report a vendor specific connect fail reason code fetched
from the driver to users by adding the reason code to the event
CTRL-EVENT-ASSOC-REJECT. Fetch the connect fail reason code when the
driver sends a failure connection result and append the reason code, if
available, to assoc reject event.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-16 13:15:28 +02:00
Sunil Dutt
7423fa6e8f Vendor feature capability to support concurrent sessions on Wi-Fi bands
Introduces a vendor specific feature capability
QCA_WLAN_VENDOR_FEATURE_CONCURRENT_BAND_SESSIONS to know if the device
supports concurrent network sessions on different Wi-Fi bands. This feature
capability is attributed to the hardware's capability to support the same
(e.g., DBS).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-16 13:15:28 +02:00
Nandha Kishore Easwaran
1934ad9b23 Add extra parameters to vendor command GPIO attribute
Add extra parameters mux_config, drive, and init_enable
to the GPIO config command.

Signed-off-by: Nandha Kishore Easwaran <nandhaki@codeaurora.org>
2020-11-16 13:15:28 +02:00
Jouni Malinen
d0e0d2283e Sync with mac80211-next.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2020-11-11.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-11-16 13:15:21 +02:00
Vinita S. Maloo
c2c4686228 Set NLA_F_NESTED flag with NL80211_ATTR_VENDOR_DATA conditionally
The newer kernel versions enforce strict netlink attribute policy
validation and will cause cfg80211 to reject vendor commands with
NL80211_ATTR_VENDOR_DATA if NLA_F_NESTED attribute is not set but
if the vendor command is expecting nested data within
NL80211_ATTR_VENDOR_DATA attribute.

Most of the earlier instances were addressed by adding NLA_F_NESTED
flag in nla_nest_start(). This commit addresses the remaining
instance in which NL80211_ATTR_VENDOR_DATA is populated using data
set by user through the control interface.

Enhance the control interface VENDOR command to indicate whether the
vendor subcommand uses nested attributes within NL80211_ATTR_VENDOR_DATA
attribute or not.

Set NLA_F_NESTED flag for existing QCA vendor commands which use nested
attributes within the NL80211_ATTR_VENDOR_DATA attributes so that the
old frameworks implementations for already existing commands work
without any issues.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-10 23:48:00 +02:00
Srinivas Girigowda
cd3aa54a37 Add test configuration attr to enable/disable full bandwidth UL MU-MIMO
Define a QCA vendor attribute
QCA_WLAN_VENDOR_ATTR_WIFI_TEST_CONFIG_FULL_BW_UL_MU_MIMO to
enable/disable full bandwidth UL MU-MIMO subfield in the HE PHY
capabilities information field for testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-10 20:10:59 +02:00
Jouni Malinen
f4de21a77a BSS/scan: More conversions to for_each_element_id()
Use the common IE parsing routine in hope of trying to make the length
checks easier for static analyzers. In addition, try to make the
*_vendor_ie_multi() cases easier to analyze as well even though they
cannot use for_each_element_id().

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-04 19:50:34 +02:00
Jouni Malinen
aa06444f2c dbus: Check eloop registration failure in add_watch handler
Report failures at lower layer to the upper layer D-Bus handling of
socket registration to allow failures to be addressed more cleanly.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-04 19:39:08 +02:00
Jouni Malinen
56a1df71e5 BSS: Convert wpa_bss_get_vendor_ie() to use for_each_element_id()
Use the common IE parsing routine in hope of trying to make the length
checks easier for static analyzers.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-03 21:10:01 +02:00
Jouni Malinen
ec1f4f3c81 Make GTK length validation for RSN Group 1/2 easier to analyze
This extends the changes in commit c397eff828 ("Make GTK length
validation easier to analyze") to cover the RSN case as well as the WPA.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-03 21:10:01 +02:00
Jouni Malinen
f14df9b56a tests: Prepare for control interface message change
Update ap_wpa2_psk_supp_proto_too_long_gtk_in_group_msg to accept
upcoming change in the parsing validation step that catches the issue.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-03 21:10:01 +02:00
Jouni Malinen
c42d41bf35 EAP-IKEv2: Try to make transform parser simpler to understand
Use a local variable to try to make ikev2_parse_proposal() easier for
static analyzers to understand. Bounds checking in the loop is really
done by the ikev2_parse_transform() function, so the p->num_transforms
value itself is of no importance for that part and even that was already
implicitly limited in range.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-03 21:03:30 +02:00
Jouni Malinen
ec0d99c00e HS 2.0: Clarify OSU Friendly Name length validation
This extends the changes in commit 0570a3ea7d ("HS 2.0: Clarify OSU
Provider list length validation") to cover the length field for the OSU
Friendly Name value to try to get this easier for static analyzers to
understand.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-03 21:03:30 +02:00
Jouni Malinen
05962099c3 TDLS: Fix error path for TPK M1 send failure in testing functionality
The previous fix did not actually address this testing functionality
case correctly. Clear the peer pointer to avoid double freeing.

Fixes: a86078c876 ("TDLS: Fix error path handling for TPK M1 send failures")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-03 19:45:36 +02:00
Jouni Malinen
a9fed5f5b5 Avoid undefined behavior with memcpy PMK/PSK update
When SAE is used, the local pointer pmk may point to sm->PMK. Skip the
memcpy operation in such a case since it is not really needed and use of
overlapping memory buffers is undefined behavior for memcpy().

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-02 18:46:35 +02:00
Jouni Malinen
c643c39287 nl80211: Fix filtering of unsupported bands/modes
The loop for removing unsupported bands was assuming there is always
exactly one band/mode following the removed band. That was not at all
correct, so fix this by dynamically determining how many (if any) bands
need to be moved.

Fixes: 106d67a93c ("nl80211: Filter out unsupported bands")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-02 18:38:41 +02:00
Jouni Malinen
3b89dbaa7d tests: TDLS with SAE
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-02 17:40:18 +02:00
Jouni Malinen
a86078c876 TDLS: Fix error path handling for TPK M1 send failures
Local allocation error or failure to get a random number could have
resulted in the peer entry getting freed and couple of the error path
cases in callers could have tried to reference or delete the peer after
that. Fix this by tracking the errors where the peer is freed.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-02 17:26:04 +02:00
Jouni Malinen
3d490296bc DPP2: Fix error path handling in enterprise provisioning
The allocated memory pointed by the pem pointer was freed on an error
path without clearing the pointer to NULL before returning it from the
function. This could have resulted in use of freed memory in an error
case. Fix this by clearing the pointer so that the function returns NULL
properly in the case of this error.

Fixes: ace3723d98 ("DPP2: Enterprise provisioning (Enrollee)")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-02 16:52:01 +02:00
Jouni Malinen
f724dd1bfd Remove unused variable update
Commit e8b85c078e ("iface match: Unspecified matched interfaces should
not log driver fails") removed the only use of the added interface wpa_s
pointer, but left that pointer setting in place. Remove it to keep
static analyzers happy.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-02 16:36:14 +02:00
Jouni Malinen
589bf1f7a9 DPP2: Fix ppkey parsing
DPP_CONFIGURATOR_ADD processing of the new ppkey parameter had a
copy-paste error in determining the correct length of this parameter.
Fix that by referencing the correct pointer.

Fixes: 9c1fbff074 ("DPP2: Generate a privacy protection key for Configurator")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-02 16:31:02 +02:00
Veerendranath Jakkam
79e3f08d3c 6 GHz: Add support for missing 6 GHz operating classes
Add support for missing 6 GHz operating classes as defined in
IEEE P802.11ax/D7.0.

This is needed to avoid OCV failures on the 6 GHz band when the channel
width is larger than 20 MHz.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2020-10-30 22:52:47 +02:00
Veerendranath Jakkam
66bed14b22 6 GHz: Fix opclasses mapping in ieee80211_freq_to_channel_ext()
Previously only primary channel number used to calculate 6GHz operating
class in ieee80211_freq_to_channel_ext() and it is always giving 131
operating class. Fix this by mapping operating class using chanwidth and
sec_channel also.

This is needed to avoid OCV failures on the 6 GHz band when the channel
width is larger than 20 MHz.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2020-10-30 14:20:50 +02:00
Hai Shalom
5e779873ed EAP-SIM peer: Send AT_IDENTITY first
For EAP-SIM connections, reorder the order of the attributes in
EAP-Response/SIM/Start message: Send AT_IDENTITY first, then
AT_NONCE and AT_VERSION instead of AT_IDENTITY last. Even though there
is no order requirements in the RFC, some implementations expect the
order of the attributes to be exactly as described in the RFC figures.

Peer                                      Authenticator
|                                                 |
|                      +------------------------------+
|                      | Server does not have a       |
|                      | Subscriber identity available|
|                      | When starting EAP-SIM        |
|                      +------------------------------+
|                                                 |
|          EAP-Request/SIM/Start                  |
|          (AT_ANY_ID_REQ, AT_VERSION_LIST)       |
|<------------------------------------------------|
|                                                 |
|                                                 |
| EAP-Response/SIM/Start                          |
| (AT_IDENTITY, AT_NONCE_MT,                      |
|  AT_SELECTED_VERSION)                           |
|------------------------------------------------>|
|                                                 |

Signed-off-by: Hai Shalom <haishalom@google.com>
2020-10-30 13:59:49 +02:00
Pooventhiran G
0577e8e679 nl80211: Check for proper nlmsg allocation in send_and_recv_msgs_owner()
When nlmsg allocation fails, nl80211_drv_msg() returns NULL and the call
to send_and_recv_msgs_owner() from nl80211_leave_ibss() could have ended
up dereferencing a NULL pointer. Fix this by make
send_and_recv_msgs_owner() more consistent with other send_and_recv*()
cases that check msg == NULL internally.

Fixes: 12ea7dee31 ("nl80211: Use nl80211 control port for receiving EAPOL frames")
Signed-off-by: Pooventhiran G <pooventh@codeaurora.org>
2020-10-27 11:39:45 +02:00
Disha Das
02289ab537 DPP2: Explicitly check EC_KEY before dereferencing it
In theory, the EVP_PKEY_get0_EC_KEY() could fail, so verify that it
succeeds before using the pointer to get the group.

Fixes: 65e94351dc ("DPP2: Reconfig Authentication Request processing and Response generation")
Signed-off-by: Disha Das <dishad@codeaurora.org>
2020-10-27 11:33:15 +02:00
Sreeramya Soratkal
c575904761 P2P: Consider BSS entry pending for P2P joining as a known BSS
Consider the BSS entry that is pending for the P2P group join operation
also as a known network along with the existing configured networks.
This prevents removal of the BSS entry that is still in the process of
P2P join operation from the BSS table when the number of entries exceed
bss_max_count.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2020-10-26 22:39:42 +02:00
Jouni Malinen
106d67a93c nl80211: Filter out unsupported bands
If the driver indicates capability for a band that
hostapd/wpa_supplicant does not support, the struct hostapd_hw_modes
array of bands got an empty entry for that with NUM_HOSTAPD_MODES as the
mode. This resulted in various issues, e.g., with fst_hw_mode_to_band()
hitting a WPA_ASSERT(0).

Fix this by filtering out unsupported bands from the internal data
structures.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-26 22:34:07 +02:00
Sreeramya Soratkal
9c39c1a6d3 P2P: Include p2p_add_cli_chan parameter while cloning the configuration
The dynamically created P2P group interface did not consider the
channels that can be used by the P2P client during the P2P group
formation. Copy the p2p_add_cli_chan parameter while cloning the
configuration to the P2P group interface. This allows the dynamically
created group interface case to form the group in the specific
client-only channels when the device is a P2P client in the group.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2020-10-22 23:51:54 +03:00
Sunil Dutt
8f0ed71ffe Vendor specific feature capability for Adaptive 11r
Add feature capability indication for Adaptive 11r for the drivers
to advertize support for this.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-22 23:51:34 +03:00
Arun Kumar Khandavalli
45ae6ae8e1 Add additional vendor specific hang reason codes
Add additional hang reason codes in enum qca_wlan_vendor_hang_reason to
address potential internal failure cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-22 23:47:12 +03:00
Jouni Malinen
2d8a7cf3f5 tests: Update dpp_controller_rx_errors to use the assigned TCP port
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-21 00:31:01 +03:00
Jouni Malinen
d2190cdc65 DPP2: Update the default port number for DPP-over-TCP
IANA assigned the TCP port 8908 for DPP, so update the implementation to
match the formal assignment.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-21 00:29:38 +03:00
Jouni Malinen
5d988b4a5b Fix couple more typos
Couple of similar cases that were not included in the previous commit.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-20 00:37:01 +03:00
Yegor Yefremov
b439b21a2f wpa_supplicant: Fix typos
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
2020-10-20 00:37:01 +03:00
Jouni Malinen
ac835ea092 tests: SAE status code handling
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-20 00:37:01 +03:00
Jouni Malinen
183e72ae13 SAE-PK: Do not accept SAE-PK status code when no PK is configured
Make sae_status_success() more explicit by rejecting SAE-PK status code
when the AP is not configured with PK.

Fixes: 20ccf97b3d ("SAE-PK: AP functionality")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-20 00:37:01 +03:00
Andrei Otcheretianski
80662accb5 SAE: Don't use potentially uninitialized keys
If SAE_CONFIG_PK is not defined and sae->pk isn't zero (which is
possible as it is controlled by the commit message status code),
sae_derive_keys() may end up deriving PMK and KCK from an
uninitialized array. Fix that.

Fixes: 6b9e99e571 ("SAE-PK: Extend SAE functionality for AP validation")
Fixes: 20ccf97b3d ("SAE-PK: AP functionality")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2020-10-20 00:37:01 +03:00
Andrei Otcheretianski
b4c7114cf5 wpa_supplicant: Remove unfeasible conditions in config parsing
pos can't be NULL in wpa_global_config_parse_str(), so there is no point
checking this, especially when pos was already dereferenced earlier.
Remove the redundant conditions.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2020-10-19 23:05:33 +03:00
Andrei Otcheretianski
ff7e0c1cf7 wpa_cli: Don't access uninitialized variables
Don't print potentially uninitialized variables in wpa_ctrl_command_bss().
Some compilers and analyzers may warn about it.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2020-10-19 23:01:11 +03:00
Pooventhiran G
e364a34c69 OpenSSL: Make openssl_debug_dump_certificate() more robust
SSL_CTX_get0_certificate() returns NULL if no certificate is installed.
While this should not be the case here due to the loop in
openssl_debug_dump_certificate_chains() proceeding only if the
SSL_CTX_set_current_cert() returns success, it is safer to make
openssl_debug_dump_certificate() explicitly check against NULL before
trying to dump details about the certificate.

Signed-off-by: Pooventhiran G <pooventh@codeaurora.org>
2020-10-19 22:57:24 +03:00